Has the Cyber-War Begun?

A battle rages over the definition of
war -- war in cyberspace, that is.

A definition matters because the stakes
are already enormous in this "new geography of warfare."

Everyone agrees The First Great
Cyber-War (a decisive struggle over the Internet and within the Internet) has
not been fought -- yet. Cyber-skirmishing, however, is frequent and fierce, a
second-by-second form of digital probing and parrying that is cyberspace's
combat equivalent.

Computers store and share vast
quantities of data. Economic, military, intelligence, communications and
politically sensitive information are obvious targets for spies, thieves,
vandals, competitors and enemies. Digital systems control key infrastructure,
like electrical grids. Zap a central computer with digital viruses, and the
grid is damaged until the viruses are identified and removed. Repairing
generators and power lines after an aerial bomb attack is an analog. The
viruses, however, don't leave high-explosive craters.

And there's the rub. Is a
cyber-intrusion that disrupts and destroys an "armed attack," which
under international law would permit armed retaliation? Technology and
techniques have once again outpaced political adaptation, rendered military
doctrine obsolete, and are decades ahead of formal law.

Strategists, lawyers and warriors are
struggling with these complex, multidimensional issues. James Andrew Lewis, in
an essay titled "The Cyber War Has Not Begun" (published in March by
the Center for Strategic and International Studies), believes focusing on
cyber-security (protecting digital systems) "is a good thing."
However, Lewis argues, "We are not in a 'cyber war.' War is the use of
military force to attack another nation and damage or destroy its capability
and will to resist. Cyber war would involve an effort by another nation or a
politically motivated group to use cyber attacks to attain political ends. No
nation has launched a cyber attack or cyber war against the United
States."

Lewis provides a reasonable definition
of an act of war and its goals. Cyber-like attacks have been used in warfare.
Militaries are familiar with "cyber war in support of a conventional
war" (acronym CWSC). In the guise of "electronic warfare," this
type of "cyber support operation" has been going on since World War
II. However, with the Internet now a major part of the planet's commercial
infrastructure, "electronic warfare" has moved to another level. CWSC
can now attack strategic targets (e.g., international lending and trading
systems), not just the electronic weapons and communications of the combat
forces.

Lewis recognizes a non-state actor
("politically motivated group") can wage cyber-war. He also asserts no
nation (i.e., a nation-state) has launched a cyber-attack on the U.S., allowing
the possibility of attempts to wage cyber-war by terrorists. Lewis argues that
no nation-state has waged cyber-war or even launched a cyber-attack "to
attain political ends" because the U.S. can trace these attacks to their
source.

Guaranteed exposure is a deterrent
because the attacker would risk retaliation of some sort -- political,
economic, military or, presumably, cyber. I hope he is right, though even the
most informed speculations in this field are haunted by the "unknown
unknowns" that time and actual warfare inevitably reveal at high cost.

Lewis discusses four types of
cyber-threats and warns against conflating them: 1) economic espionage (theft
of proprietary business and economic data, and intellectual property); 2)
political and military espionage (traditional spying carried into cyberspace);
3) cyber crime (e.g., theft of money from bank accounts); and 4) cyber war. In
Lewis' view, cyber-attacks in cyber-war are "just another weapons
system" for hitting targets.

The categories suggest structural
responses. Police, trade and legal institutions, linked to international
agreements, become the mechanisms for addressing economic espionage and
cyber-crime. Defense and diplomatic organizations address cyber-espionage and
cyber-warfare. Lewis advocates creating international "norms" and
understandings for what constitutes an attack, and "an international
framework" to establish "potential consequences for differing levels
of hostile action."

However, determining levels of
hostility as a crisis emerges and escalates is a very stiff requirement.
History is riddled with surprise attacks whose devastating effects took time to
assess. The categories are really not so discrete.

In "real space," crime and
terror, and crime and rebellion, all too easily mesh. Separating criminal from
rebel is often a tough judgment call. In my own view, skirmishing is warfare.
In cyberspace we are witnessing the potshots by light cavalry prior to a
larger clash, where opponents, at a calculated pace, probe for vulnerabilities
and seek decisive advantage.